[S104] Identity Assertion Logon failed

I didn’t see many answers on this FAS error I had today, so here goes.

We have FAS set up at work (Citrix Cloud with Azure AD, so FAS is required: the VDAs don’t have the users’ passwords, so FAS is what issues a certificate for a user once they have authenticated successfully, and the VDA then pulls that certificate from FAS to sign the user in as if they had signed in with a smart card…) and single sign-on wasn’t working. When users logged in to their VDA they were prompted for username and password instead of simply being signed in.

VDAs need port 80 open to the FAS server so they can pull the certificate. In my case a Test-NetConnection from the VDA showed port 80 open, but in the VDA’s event log I could see messages like the following (Application log; Event ID 104; Source Citrix.Authentication.IdentityAssertion):

But on the FAS side I could see a certificate being created and issued in my name (Application log; Event ID 105; Source Citrix.Authentication.FederatedAuthenticationService):

So clearly the VDA was able to communicate with the FAS server, and FAS was receiving the request and issuing a certificate, but the VDA was not seeing it?

I Googled (of course) but got nothing. There are loads of errors with the [S104] id, but none of them were about timeouts, and I couldn’t find anything on how to increase the timeouts either. Finally I reached out to my firewall guy, and it turned out that while port 80 was open, the firewall was blocking traffic based on the application type. Once he allowed SOAP traffic it started working!

So that’s it. Easy fix. Thought I’d post this here in case anyone else stumbles upon a similar issue.

Update: Just for completeness, if a VDA is able to retrieve the certificates from FAS you should see Event ID 106 instead, and that event contains the details.
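The lesson of the post is that a TCP port test is not the same as an application-layer test. As an added troubleshooting script (not part of the original post, and not Citrix tooling), the following PowerShell runs the same Test-NetConnection, then sends a real HTTP request so that a firewall dropping SOAP/HTTP payloads shows up as a timeout rather than a "port open" result, and finally pulls the 104/105/106 events described above. The FAS hostname is a placeholder; the HTTP GET to the server root is a generic reachability probe, not a documented FAS endpoint; the event IDs and sources are the ones from the post.

```powershell
# Added example, not from the original post. Run on the VDA unless noted.
# $FasServer is an assumed placeholder; replace it with your FAS hostname.
param(
    [string]$FasServer  = "fas01.example.internal",   # placeholder
    [int]   $Port       = 80,
    [int]   $TimeoutSec = 10,
    [int]   $LookbackHours = 1
)

# Step 1: TCP check. This is what the original Test-NetConnection proved:
# the handshake completes, so a plain port-based rule is not the blocker.
$tcp = Test-NetConnection -ComputerName $FasServer -Port $Port -WarningAction SilentlyContinue
Write-Host ("TCP {0}:{1} reachable: {2}" -f $FasServer, $Port, $tcp.TcpTestSucceeded)

# Step 2: HTTP check. An application-aware firewall can pass the handshake and
# then drop the HTTP/SOAP payload. Sending a real request and timing out is much
# closer to what the VDA experiences than a bare port test. Any HTTP status at
# all (even 404/405) means the payload got through; a timeout with no response
# while TCP succeeds points at application-type filtering.
$uri = "http://{0}:{1}/" -f $FasServer, $Port   # generic probe, not a FAS API path
try {
    $resp = Invoke-WebRequest -Uri $uri -Method Get -TimeoutSec $TimeoutSec -UseBasicParsing -ErrorAction Stop
    Write-Host ("HTTP reached the server, status {0}" -f $resp.StatusCode)
} catch {
    if ($_.Exception.Response) {
        Write-Host ("HTTP reached the server, status {0}" -f [int]$_.Exception.Response.StatusCode)
    } elseif ($tcp.TcpTestSucceeded -and $_.Exception.Message -match 'timed out|timeout') {
        Write-Warning "TCP connects but HTTP times out: suspect application-layer (SOAP/HTTP) filtering on the firewall."
    } else {
        Write-Warning ("HTTP failed without a response: {0}" -f $_.Exception.Message)
    }
}

# Step 3: correlate the events from the post.
$since = (Get-Date).AddHours(-$LookbackHours)

# VDA side: 104 = [S104] Identity Assertion Logon failed, 106 = certificate retrieved.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Citrix.Authentication.IdentityAssertion'
    Id           = 104, 106
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# FAS side (run on the FAS server): 105 = certificate created and issued for the user.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Citrix.Authentication.FederatedAuthenticationService'
    Id           = 105
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

The combination that matches the post is: TcpTestSucceeded is True, the HTTP probe times out, 104 appears on the VDA and 105 appears on the FAS server with no matching 106 on the VDA. Once the application-layer rule allows the traffic, the HTTP probe returns a status code and 106 replaces 104.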